BKIS reports that Adobe's fix for the launch action exploit affecting PDF-viewing software such as Adobe Reader and Acrobat can be circumvented.
A security researcher has found a way to circumvent Adobe Systems' effort to
address the /Launch action issue that made headlines a few months ago.
In the recent
update for Adobe Acrobat and Reader,
the company sought to thwart any
attempts to use a PDF reader's "launch" command to run embedded
executables. However, BKIS Senior Security Researcher Le Manh Tung has found
that the Adobe
fix can be circumvented
if an attacker modifies the code by adding quotes
to the parameters passed to /F, for example if /F(cmd.exe) becomes /F("cmd.exe").
"With the quotes added, Adobe Reader will not block the execution ... After
pressing Open, cmd.exe will be executed!!! So, Adobe Reader Version 9.3.3 has
fixed the fake warning message, but the threat of exploit code execution still
remains," Tung blogged.
Though technically not considered a vulnerability-the functionality is
defined in the PDF specification (ISO
PDF 32000-1:2008)-the situation has been exploited by attackers, and was seen
being used in April in an effort to infect
users with the Zeus Trojan.
According to Adobe Director of
product security and privacy Brad Arkin, Adobe determined disabling the ability to open non-PDF file attachments
with external applications by default would hurt its customers.
"As an alternative, we added attachment blacklist functionality to
block attempts to launch executables or other harmful objects by default,"
Arkin wrote. "While blacklist capabilities alone are not a perfect
solution to defend against those with malicious intent, this option reduces the
risk of attack, while minimizing the impact on customers relying on workflows
that depend on the launch functionality. We will evaluate this workaround to
determine whether additional changes to the blacklist are required."
When users attempt to open an executable or other blacklisted file type, an
error message will appear, he added. In addition, the way the warning dialog
requesting user permission to launch non-PDF file attachments with external
applications works has been changed to prevent attackers from inserting their
The flaw can be fixed by standardizing the parameter string passed to
/Launch before comparing it with a blacklist, Nguyen Minh Duc, director of
security at BKIS, told eWEEK.